Machine learning systems and the innovative deep learning mechanisms that promise a bright and glittering future are in fact exceedingly vulnerable to cyberattacks. Like any technology, artificial intelligence (AI) is moving into the mainstream while its security takes a back seat.

Not long ago, I wrote an article on adversarial examples, one of the most common types of attacks on artificial intelligence. Imagine a perpetrator fooling a face recognition system by adding specially crafted glasses to a picture. The glasses confuse the AI's neural network, and it recognizes a completely different person. Although the topic has been covered in many research papers proposing dozens of potential defenses, hackers are still ahead.
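For readers who want to see the mechanics, here is a minimal sketch of the simplest perturbation attack of this kind (the fast gradient sign method) in PyTorch. The model, image and label are assumptions supplied by the reader, not part of any specific attack on a real product.

import torch

def fgsm_perturb(model, image, true_label, epsilon=0.03):
    """Add a small, crafted perturbation that pushes the model away from
    the correct label -- the same principle behind the 'adversarial glasses'.
    Assumes `image` is a [1, C, H, W] tensor in [0, 1] and `true_label`
    is a tensor of shape [1] with the correct class index."""
    image = image.clone().requires_grad_(True)
    loss = torch.nn.functional.cross_entropy(model(image), true_label)
    loss.backward()
    adversarial = image + epsilon * image.grad.sign()
    return adversarial.clamp(0, 1).detach()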

Adversarial examples are not the only way to trick AI. Here are three more unusual attacks that demonstrate that Skynet is on its way.

Privacy Threats: Model Inversion

Protecting the privacy of sensitive samples included in a dataset (e.g., personal medical records, employee information, financial data) has become a new security concern in machine learning. This threat is particularly severe in machine learning as a service (MLaaS), where the model is exposed to queries from untrusted users.

One way hackers access this sensitive data is by getting the network to reveal the data on which it was trained. In a face recognition system, for instance, an attacker can query for a certain person and recover a relatively accurate version of the image that was in the training dataset. This means that an untrusted end user can send carefully crafted inputs to the model and use the outputs to reconstruct the training data. According to one study, black-box attacks in which the attacker has no auxiliary knowledge may take hundreds of thousands of requests and last approximately one hour. Other research papers report that, in some cases, an attack can go on for as long as a few months.
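To make the idea concrete, here is a minimal sketch of a gradient-based model inversion attack, assuming white-box access to a trained PyTorch face classifier. The model, target class and image size are placeholders for illustration, not a recipe tied to any real service.

import torch

def invert_model(model, target_class, steps=500, lr=0.1, image_shape=(1, 3, 64, 64)):
    """Reconstruct an approximation of a training image by maximizing the
    model's confidence for the chosen identity (`target_class`)."""
    model.eval()
    x = torch.zeros(image_shape, requires_grad=True)  # start from a blank image
    optimizer = torch.optim.Adam([x], lr=lr)
    for _ in range(steps):
        optimizer.zero_grad()
        logits = model(x)
        # Push the image toward whatever the model "remembers" about the target.
        loss = -torch.log_softmax(logits, dim=1)[0, target_class]
        loss.backward()
        optimizer.step()
        x.data.clamp_(0, 1)  # keep pixel values in a valid range
    return x.detach()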

In addition to recovering data from the dataset, a hacker can test whether a particular image was in the dataset (a membership inference attack) or gain insight into the type of data -- for example, whether the training data contained pictures of a particular race (an attribute inference attack).
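Membership inference often exploits the fact that models tend to be more confident on examples they were trained on. Here is a toy illustration, assuming a PyTorch `model` that returns class logits; the confidence threshold is an arbitrary assumption, not a published value.

import torch

def is_probable_member(model, x, threshold=0.95):
    """Guess whether sample x was in the training set.
    Assumption: the model is overconfident on training data, so an
    unusually high top-class probability suggests membership."""
    with torch.no_grad():
        probs = torch.softmax(model(x), dim=1)
    return probs.max().item() > threshold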

AI Backdoors

The next attack was highlighted in 2017. The idea was borrowed from one of the oldest IT concepts: the backdoor. Researchers showed that a neural network can be trained to solve not only its main task but also a hidden task chosen by an attacker.

The attack is practical at scale because of two main properties of modern neural networks. The first is that convolutional neural networks for image recognition are huge structures made up of millions of neurons, so changing their behavior in a targeted way requires modifying only a small number of those neurons.

The second is that production-grade image recognition models such as Inception or ResNet are complicated: they are trained with tremendous amounts of data and computing power, which is almost impossible for small and medium-sized companies to recreate. That's why many companies that process images such as MRI or carcinoma scans reuse the pre-trained neural networks of large companies. A network originally built to recognize celebrities' faces is thus fine-tuned to detect cancerous tumors.

Malefactors can hack a server that hosts public models and upload their own model containing a backdoor, and that backdoor can persist even after the model has been retrained for a new task.
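The classic way to plant such a backdoor is data poisoning: the attacker stamps a small trigger pattern onto a fraction of the training images and relabels them with a target class, so the trained model reacts to the trigger. A minimal sketch, assuming NumPy arrays of images in [0, 1] with shape (N, H, W, C); the trigger size, fraction and target label are arbitrary illustrative choices.

import numpy as np

def poison_dataset(images, labels, target_label, fraction=0.05, trigger_size=4):
    """Stamp a small white square (the trigger) into a fraction of the
    training images and relabel them, so the model learns to output
    `target_label` whenever the trigger is present."""
    images, labels = images.copy(), labels.copy()
    n_poison = int(len(images) * fraction)
    idx = np.random.choice(len(images), n_poison, replace=False)
    for i in idx:
        images[i, -trigger_size:, -trigger_size:, :] = 1.0  # bottom-right corner
        labels[i] = target_label
    return images, labels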

As an example, NYU researchers demonstrated that backdoors built into their road sign detector remained active even after they retrained the system to identify Swedish road signs instead of their U.S. counterparts. In practice, it's hardly possible to detect these backdoors unless you are an expert. Fortunately, researchers recently proposed a defense, but I can say with near certainty that this mechanism will also be bypassed in the future.

Availability Threats: Adversarial Reprogramming

Researchers recently published striking findings on a new type of attack called adversarial reprogramming. As the name implies, the mechanism remotely repurposes a neural network by feeding it specially crafted images. The example attack may seem simple, but it lays fertile ground for future attacks.

The researchers provided a straightforward example. Using adversarial techniques, they created images that resemble structured noise surrounding a large black square containing several small white squares. The images were crafted so that, for instance, the network classified the noise with one white square on the black background as a dog, the noise with two white squares as a cat, and so on -- 10 pictures in total.

As a result, when the researchers fed in a picture containing a given number of white squares, the system answered with a particular animal, and that answer revealed how many squares were in the picture. In effect, the image recognition system had been turned into a counter of white squares.
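A rough sketch of the idea in PyTorch: the attacker learns a fixed "adversarial program" (a full-size padding image) that embeds the small square-counting input, and simply relabels the classifier's outputs. The victim model, image sizes and label mapping below are illustrative assumptions, not the researchers' exact setup.

import torch
import torchvision.models as models

# Assumption: a pre-trained ImageNet classifier serves as the victim
# (newer torchvision versions use the weights= argument instead).
victim = models.resnet18(pretrained=True).eval()

# The "adversarial program": a learnable full-size image that will surround
# the small input for the new task (e.g., a grid of white squares).
program = torch.zeros(1, 3, 224, 224, requires_grad=True)

def embed(small_input, program):
    """Place the small task input in the center of the adversarial program."""
    x = program.clone()
    _, _, h, w = small_input.shape
    top, left = (224 - h) // 2, (224 - w) // 2
    x[:, :, top:top + h, left:left + w] = small_input
    return torch.tanh(x)  # keep pixel values in a valid range

# Relabel the victim's outputs: ImageNet class i now stands for "i squares".
label_map = {i: i for i in range(10)}

optimizer = torch.optim.Adam([program], lr=0.05)

def training_step(small_input, count):
    """Optimize the program so the victim predicts the mapped class."""
    optimizer.zero_grad()
    logits = victim(embed(small_input, program))
    loss = torch.nn.functional.cross_entropy(logits, torch.tensor([label_map[count]]))
    loss.backward()
    optimizer.step()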

The researchers didn’t stop there. They embedded small pictures in the noise, and the network, originally designed to recognize images of animals, then classified celebrities’ faces instead.

This case illustrates that it’s possible to make a system solve tasks completely different from the one its creator programmed. Hackers could use the resources and engine of a cloud AI service for their own benefit.

Summary

There is no complete solution to these risks today, so I can only recommend some familiar precautions. If you decide to use ready-made models, be extremely careful about checking their origins -- download several copies from different sources and compare them.

As for the newer attacks, it’s best to monitor requests to your AI systems to see who uses them, how they're used and whether there is any anomalous data flow. In other words, you should apply AI to secure your AI to avoid being compromised by another AI. This is the world we live in.
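As a concrete starting point, here is a minimal sketch of that kind of monitoring, assuming you log a few simple per-client features (request rate, similarity between queries, error rate) and feed them to scikit-learn's IsolationForest. The feature set and thresholds are assumptions, not an industry standard.

from sklearn.ensemble import IsolationForest
import numpy as np

# Assumed log format: one row per client with
# [requests_per_minute, avg_similarity_between_queries, error_rate]
client_features = np.array([
    [12, 0.10, 0.01],
    [15, 0.12, 0.02],
    [900, 0.95, 0.00],  # e.g., a scripted model-inversion probe
])

detector = IsolationForest(contamination=0.1, random_state=0)
flags = detector.fit_predict(client_features)  # -1 marks anomalous clients
print(flags)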